Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco 857 and Sonicwall NSA 2600 VPN

Posted on 2014-01-27
4
Medium Priority
?
1,093 Views
Last Modified: 2014-02-20
I am trying to set up VPN through my NSA 2600, from an iPad, the NSA is connected to he 857 which is connected to the internet.

I have applied the following to my Cisco Router

ip nat inside source static tcp 192.168.10.104 1701 interface ATM0.1 1701
ip nat inside source static udp 192.168.10.104 500 interface ATM0.1 500
ip nat inside source static udp 192.168.10.104 5500 interface ATM0.1 5500
ip nat inside source static udp 192.168.10.104 1701 interface ATM0.1 1701

On the sonicwall I have.....

Enabled VPN
Enabled "WAN GroupVPN"
Authentication IKE with pre shared Secret
Proposals as Default
Created a group in AD called VPN Users, added myself to it, selected that group for Xauth (I use RADIUS with ldap to authenticate users)
Clicked set default root as this gateway.

Now when I am trying to VPN in I get these errors

1      UTC 01/27/2014 16:32:37.496      Debug      VPN IKE      SENDING>>>> ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (KE, NATD, NATD, NON, VID, VID, VID)      192.168.10.104, 500      xx.xx.xx.xx, 500, host-xx.xx.xx.xx.dslgb.com      VPN Policy: WAN GroupVPN              
2      UTC 01/27/2014 16:32:37.496      Info      VPN IKE      NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device                                   
3      UTC 01/27/2014 16:32:37.496      Info      VPN IKE      NAT Discovery : Local IPSec Security Gateway behind a NAT/NAPT Device                                   
4      UTC 01/27/2014 16:32:37.496      Debug      VPN IKE      RECEIVED<<< ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (KE, NON, NATD, NATD)      xx.xx.xx.xx, 500, host-xx.xx.xx.xx.dslgb.com      192.168.10.104, 500      VPN Policy: WAN GroupVPN              
5      UTC 01/27/2014 16:32:37.400      Debug      VPN IKE      SENDING>>>> ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x2664a834586237a6, MsgID: 0x0) (SA, VID, VID)      192.168.10.104, 500      xx.xx.xx.xx, 500, host-xx.xx.xx.xx.dslgb.com      VPN Policy: WAN GroupVPN              
6      UTC 01/27/2014 16:32:37.400      Info      VPN IKE      IKE Responder: Received Main Mode request (Phase 1)      xx.xx.xx.xx, 500, host-xx.xx.xx.xx.dslgb.com      192.168.10.104, 500                     
7      UTC 01/27/2014 16:32:37.400      Debug      VPN IKE      RECEIVED<<< ISAKMP OAK MM (InitCookie:0xb731b6b79cde278f RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID, VID, VID, VID, VID, VID, VID, VID, VID)      xx.xx.xx.xx, 500, host-xx.xx.xx.xx.dslgb.com      192.168.10.104, 500


This is from an Ipad using L2tp VPN

Does anyone know what I can do to resolve this issue please.
0
Comment
Question by:CaptainGiblets
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 8

Expert Comment

by:amatson78
ID: 39813072
If this is for a client connection curious why you are trying to setup a site to site VPN as it looks in your configs? You would want to use a client VPN setup not a site to site. Also the iPad has SSL VPN app have you tried using that which is way more intuitive?

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/A_8751-SonicWALL-SSL-VPN-application-for-iPhone-iPad-iPod-Touch.html
0
 
LVL 6

Author Comment

by:CaptainGiblets
ID: 39814746
I have set up SSL-VPN but I only have 2 licences. I can always look at getting more but I am still having problems getting my VPN users out to the internet. They can get on internal things with the VPN set up and I have enabled Tunnel All.

However when I try to browse the internet I get the message

1      UTC 01/28/2014 11:57:39.320      Info      SSLVPN      SSLVPN Traffic      192.168.17.221, 49760, X0 dan james      192.168.16.200, 53                     
2      UTC 01/28/2014 11:55:13.912      Notice      Network Access      Web access request dropped      192.168.17.221, 49842, X0      67.203.139.148, 80, X1, whatismyipaddress.com      HTTP

I have set up a NAT between the SSLVPN and External
22      SSLVPN IP Pool      X1 IP      Any      Original      Any      Original      X0      X1      22            Enabled

And under firewall access rules I have this

      SSLVPN      >      WAN      1      SSLVPN IP Pool      Any      Any      Allow      All      None                                         Enabled        Edit this entry A service depends on this rule
 27      SSLVPN      >      WAN      2      Any      Any      Any      Allow      All      None                                                Edit this entry Delete this entry

What am I missing for SSLVPN external access?
0
 
LVL 26

Accepted Solution

by:
Blue Street Tech earned 2000 total points
ID: 39843867
Hi CaptainGiblets,

NetExtender in Tunnel All mode forces all traffic to be routed over the SSL-VPN adapter. To allow your end users access to internet over the UTM-SSLVPN, you will need to allow “WAN RemoteAccess Networks” (a network address object whose value 0.0.0.0 acts like a default route), and the Tunnel All option must be selected on the Client Routes page.  The method below is appropriate when the administrator wants all of their NetExtender users to have their internet access provided through the SSL-VPN otherwise disable Tunnel All mode.  Be sure that you are not overwhelming the internet bandwidth at the location where the firewall is installed, as this traffic will be added to the other loads from inside the network.
Step 1: On the SonicWALL, go to SSL-VPN > Client Routes screen, enable the Tunnel All option in the drop down menu.

Step 2: On the Users > Local Groups screen, configure SSLVPN Services group and under tab “VPN Access,” add the object WAN RemoteAccess Networks.

Step 3: No custom rules are needed on the Firewall > Access Rules screen for this to work.  You can see auto-added rules in the section SSLVPN to WAN.
Let me know if you have any questions!
0
 
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39847278
Have you tried my solution yet? (http:#a39843867)
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question